Group signature system, method, device, and program

ABSTRACT

A signature device  2  creates encrypted data by encrypting a first element of a member certificate through use of a first random number and public information disclosed by said group management device  1 . The signature device  2  also creates first and second converted data by converting the first element through use of a random number and public information. The signature device  2  further creates knowledge signature data from which information concerning the first element, the second element, and the signature key will not be divulged, and outputs a group signature which contains the knowledge signature data together with a message. A verification device  3  verifies whether a group signature has been created by using a member certificate of one of the registered members in the group and a signature key, based on the message, the group signature, and the public information.

FIELD OF THE INVENTION

The present invention relates to a group signature system that allows any member belonging to a certain group to create or verify a signature proving that the signer is really a member of that group. More particularly, the invention relates to a group signature system with a function to distribute the group administrator's process privileges among two or more members.

DESCRIPTION OF THE RELATED ART

This type of group signature system is conventionally designed to allow a user, who belongs to a group consisting of a plurality of members, to create or verify a signature. This signature is generated in such a manner that a verifier can confirm that the signer is one of the members of this group but does not know which individual in the group signed the document. To deal with possible emergency situations, a group signature system has a function to identify the signer from a given signature when necessary (hereinafter referred to as “tracking”).

In a typical group signature system, an entity called the group administrator exists, who is responsible for registration of new members into the group and for tracking of signers. Registration of group members and tracking of signers for group signatures in the group signature system are always performed under the privileges of the group administrator. Granting all the privileges to the group administrator, however, may not be appropriate for reasons of system security.

If the group administrator attempts to commit fraud, this group signature system will not be able to prevent it. For example, the group administrator can add an individual to the group for fraud purposes and have that member create a signature whose signer is not identifiable.

One viable method of minimizing the possibilities of such fraud and improving the reliability of the group signature system is to assign the roles of group administrator to more than one entity, rather than granting the entire authority to a single individual serving as the group administrator.

As a way of realizing this in a conventional group signature system, it is proposed to divide the functions of the group administrator into two: member administrator, who is authorized to register a new user into the group, and member tracker, who is authorized to identify the signer of a group signature. The group signature systems described in Literature 1 and Literature 2 are capable of such division of the group administrator.

This system further improves the reliability of the member administrator and member tracker by providing a means to distribute their respective privileges among a plurality of entities, so that multiple member administrators or multiple member trackers may work together to accomplish their respective functions.

In the first prior art, proposed in G. Ateniese and R. de Medeiros, “Efficient Group Signatures without Trapdoors,” In Advances in Cryptology—ASIACRYPT 2003, LNCS 2894, pp. 246-268, Springer-Verlag, 2003 (hereinafter referred to as “Literature 1”), public keys and private keys used by the member administrator are selected from a cryptosystem based on the discrete logarithm problems for a multiplicative group on a finite field, as described in ElGamal, “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms” (IEEE Trans. on Information Theory, IT-31,4, pp. 469-472). In the second prior art, proposed in G. Ateniese, J. Camenisch, M. Joye and G. Tsudik, “A Practical and Provable Secure Coalition-Resistant Group Signature Scheme,” In Advances in Cryptology—CRYPTO2000, LNCS 1880, pp. 255-270, Springer-Verlag, 2000 (hereinafter referred to as “Literature 2”), public keys and private keys used by the member administrator are selected based on a cryptosystem, such as RSA encryption (“A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Communications of the ACM, Vol. 21, No. 2, pp. 120-126).

The group signature system according to the first prior art described in Literature 1 has a public information disclosing means and a signature device. FIG. 13 is a block diagram showing the configuration of a signature device in the group signature system according to the first prior art. With reference to FIG. 13, the signature device comprises a first random number generator 1201, a second random number generator 1202, a third random number generator 1203, a fourth random number generator 1204, a fifth random number generator 1205, a sixth random number generator 1206, a first encrypted data creation means 1207, a second encrypted data creation means 1208, a first converted data creation means 1209, a second converted data creation means 1210, a knowledge signature creation means 1211, a confidential information storage part 1212, a member information storage part 1213, a message input means 1214, and a signature output means 1215.

The first random number generator 1201 generates a random number for use by the first encrypted data creation means 1207.

The second random number generator 1202 generates a random number for use by the second encrypted data creation means 1208.

The third random number generator 1203 generates a random number for use by the first converted data creation means 1209 and outputs the random number to the signature output means 1215 for use as an element of a group signature.

The fourth random number generator 1204 generates a random number for use by the second converted data creation means 1210 and outputs the random number to the signature output means 1215 for use as an element of a group signature.

The fifth random number generator 1205 generates a random number for use by the second converted data creation means 1210 and outputs the random number to the signature output means 1215 for use as an element of a group signature.

The sixth random number generator 1206 generates a random number for use by the knowledge signature creation means 1211.

The first encrypted data creation means 1207 uses as input the random number generated by the first random number generator 1201 and the first element of a member certificate stored in the member information storage part 1212, to output encrypted data for the first element of the member certificate (hereinafter referred to as the “first encrypted data”) to the knowledge signature creation means 1211 and the signature output means 1215.

The second encrypted data creation means 1208 uses as input the random number generated by the second random number generator 1202 and the converted data from a signature key stored in the confidential information storage part 1213, to output the encrypted data from the first element of the signature key's converted data to the knowledge signature creation means 911 (*1211 ?) and the signature output means 1215.

The first converted data creation means 1209 uses as input the random number generated by the third random number generator 1203 and the first element of a member certificate stored in the member information storage part 1212, to output converted data from the first element of the member certificate (hereinafter referred to as the “first converted data”) to the knowledge signature creation means 1211 and the signature output means 1215.

The second converted data creation means 1210 uses as input the random number generated by the fourth and fifth random number generators 1204 and 1205 and the first element of a member certificate stored in the member information storage part 1212, to output the converted data from the first element of the member certificate (hereinafter referred to as the “second converted data”) to the knowledge signature creation means 1211 and the signature output means 1215.

The knowledge signature creation means 1211 uses as input the message inputted from by the message input means 1214, the random number generated by the sixth random number generator 1206, the first and second encrypted data, the first and second converted data, the first and second elements of the member certificate and the signature key, to output the knowledge signature data that can prove that the signer duly owns the member certificate and signature key without leaking information concerning the member certificate and signature key.

The member information storage part 1212 stores a member certificate for use in issuing a group signature. A member certificate consists of a first element and a second element.

The confidential information storage part 1213 stores a signature key.

The message input means 1214 inputs a message to which a signature will be added.

The signature output means 1215 outputs as a group signature the message, the first and second encrypted data, the first and second converted data, the third, fourth and fifth random numbers, and the knowledge signature data.

Using the configuration described above, the group signature system according to the first prior art can create a group signature.

The group signature system described in Literature 2 according to the second prior art has a group management device and a signature device.

The group management device has a public information disclosing means, a member information disclosing means, an RSA key generation means, discrete logarithm key generation means, a member registration confidential information storage part, a member tracking confidential information storage part, and a member registration means. The group management device performs the process of registering a group member and the process of identifying the actual signer from a given signature.

The public information disclosing means discloses public information used in the system to all the devices.

The member information disclosing means discloses information concerning the signature device acquired by the member registration means.

The RSA key generation means creates a public key and a private key using a method based on an RSA cryptosystem, outputs the public key to the public information disclosing means and the private key to the member registration confidential information storage part.

The discrete logarithm key generation means creates a public key and a private key from a cryptosystem based on a discrete logarithm problem. It then outputs the public key to the public information disclosing means and the private key to the member tracking confidential information storage part.

The member registration confidential information storage part stores the private key created by the RSA key generation means.

The member tracking confidential information storage part stores the private key created by the discrete logarithm key generation means.

The member registration means uses as input the private key stored in the member registration confidential information storage part, to output a member certificate necessary for the creation of a group signature to the signature device.

The signature device in turn creates a group signature using the member certificate acquired from the group management device.

The group management device according to the second prior art may be divided into two, member management device and member tracking device. In this case, the member management device needs to have an RSA key generation means, a member registration confidential information storage part, and a member registration means, while the member tracking device needs to have a discrete logarithm key generation means and a member tracking confidential information storage part.

The first problem with the first prior art is that if the group management device is divided into member management device and member tracking device, the member management device will have a function to identify the actual signer.

In the first prior art, the first converted data created by the first converted data creation means 1209 is a definite value dependent on the random number generated by the third random number generator 1203 (hereinafter referred to as the “third random number”) and the first element of the member certificate. The third random number is publicized later as an element of the group signature. This means that the member management device can identify the signer by first performing the same conversion as the first converted data creation means 1209 on all the disclosed member certificates on a round-robin basis, using as input information of all the disclosed member certificates and the third random number disclosed as an element of group signatures, and then figuring out the owner of the member certificate that matches the first converted data contained in the group signature which was outputted from the signature device.

The second problem with the second prior art is that if the member management device's process privileges are distributed among a plurality of entities, these entities will receive large loads, leading to a significant reduction in efficiency.

The second prior art selects a private key for use by the member management device based on an RSA cryptosystem. Distributed computation of RSA cryptosystems is known to be generally complex and hefty. It would be problematic if the loads generated by this large computational amount are applied to multiple entities.

One object of the present invention is to provide a secure group signature system in which the content of a member certificate will not be divulged to any third party. Another object of the present invention is to provide a group signature system that can ensure safe and reliable division of the group management device's functions into two, member management device and member tracking device, and that can efficiently distribute the functions of the member management device and the member tracking device among a plurality of entities.

SUMMARY OF THE INVENTION

In order to achieve the above-described objects, the group signature system of the invention creates a group signature proving that the signer is a member duly registered into the group; verifies whether the signer of the group signature thus created is really a member of said group; and comprises

a group management device that discloses public information for common use throughout the system in a referenceable manner from other devices,

a signature device that stores a member certificate containing a first element and a second element; creates encrypted data by encrypting said first element through use of a first random number and said public information disclosed by the group management device; creates first converted data by converting said first element through use of a second random number and the public information; creates second converted data by converting the first element through use of a third random number and the public information; creates knowledge signature data from a message to which a signature will be added, a fourth random number, said encrypted data, said first converted data, said second converted data, a signature key which is a private key to be used for the creation of a signature, said first element, and said second element; and outputs as a group signature said encrypted data, said first converted data, said second converted data, and said knowledge signature data, together with said message; and

a verification device that verifies whether said group signature has duly been created by using the first and second elements contained in the member certificate of one of the registered members in said group and said signature key, based on said message and said group signature outputted from said signature device and said public information disclosed by said group management device.

Said signature device may create said knowledge signature data in such a manner that it can be proved that said encrypted data, said first converted data, and said second converted data have been created from the same value and that information concerning said first element, said second element, and said signature key will not be divulged; and

said verification device may verify whether said group signature has been created by using the first and second elements contained in the member certificate of one of the registered members in said group and said signature key, without using information concerning said first element, said second element, and said signature key.

The group signature system of the invention may further have a member management device which, when registering a new member into said group, selects a member registration private key so that the key will be a generator of a finite field having the order of a prime number; uses a discrete logarithm as said member registration private key; obtains a member registration public key, which is a generator of a multiplicative group on a finite field, from said member registration private key; notifies said member registration public key as public information to said group management device; stores said member registration private key in itself; and creates a member certificate using such member registration private key and notifies it to said signature device.

Said member certificate may be a Nyberg-Rueppel signature which uses said signature key as a discrete logarithm and that is created by using said member registration private key on the converted data from said signature key.

Said group management device may, in addition to said public information, disclose said member information notified from said member management device in a referenceable manner from other devices.

The system of the present invention may further have a plurality of member sub-management devices which, when registering a new member into said group, assigns one of the distributed values for obtaining the required generator of a finite field having the order of a prime number as its own distributed member registration private key; stores said member registration private key in itself; and uses as a member registration public key the value having said generator as a discrete logarithm.

Said signature device acquires a member certificate by communicating with a plurality of said member sub-management devices, and

said group management device may acquire said member registration public key.

The system of the present invention further has a member tracking device that selects a member tracking private key so that the key will be a generator of a finite field having the order of a prime number; uses a discrete logarithm as said member tracking private key; obtains a member tracking public key that is a generator of a multiplicative group on a finite field from said member tracking private key; notifies said member tracking public key as said public information to said group management device; stores said member tracking private key in itself; during the process of identifying the signer of a group signature, decrypts the encrypted data contained in said group signature by using said member tracking private key; and, if the result of decryption matches the first element of one of said member certificates that have been disclosed by said group management device, identifies the member of such member certificate as the signer; and

said group management device may have disclosed said member certificate as said member information; and

said signature device, when creating said encrypted data by encrypting said first element, may use said member tracking public key as said public information.

The system of the present invention further has a plurality of member sub-tracking devices, wherein the distributed member tracking private key for each member sub-tracking device is the one to be assigned to itself, among the distributed values for obtaining the generator of a finite field having the order of a prime number; and that each obtains said distributed member tracking private key so that the member tracking public key has a discrete logarithm as the generator of said finite field and will be a generator of a multiplicative group on a finite field; and that each store said distributed member tracking private key in itself;

said signature device, when creating said encrypted data by encrypting said first element, may use said member tracking public key as said public information;

said group management device may have disclosed said member certificate as said member information; and

during the process of identifying the signer of a group signature, each of said member sub-tracking devices may identify the member of one of said member certificates as the signer, if the decryption result obtained from the result of performing a pre-determined calculation on the encrypted data contained in said member group signature by using each of their said distributed member tracking private keys matches the first element of one of said member certificates that have been disclosed by said group management device.

A finite field on an elliptic curve may be used instead of said multiplicative group on a finite field.

Thus, according to the present invention, the signature device can safeguard information concerning a member certificate by using a random number that will not be disclosed as an element of a group signature. The functions of the member management device are distributed among a plurality of member sub-management devices, and a private key used by the plurality of member sub-management devices to calculate a member certificate is selected from a cryptosystem based on a discrete logarithm problem. The functions of the member tracking device are distributed among a plurality of member sub-tracking devices, and a private key used by the plurality of member sub-tracking devices to identify the signer is selected from a cryptosystem based on a discrete logarithm problem.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram showing an example configuration of a group signature system according to the first embodiment of the present invention;

FIG. 2 is a block diagram showing another example configuration of a group signature system according to the first embodiment of the present invention;

FIG. 3 is a block diagram showing yet another example configuration of a group signature system according to the first embodiment of the present invention;

FIG. 4 is a diagram showing the relationship among the blocks forming a signature device according to the first embodiment of the present invention;

FIG. 5 is a diagram showing the relationship among the blocks comprising a signature device and the blocks comprising a member management device according to the first embodiment of the present invention;

FIG. 6 is a diagram showing the relationship between the block within a verification device and another device according to the first embodiment of the present invention;

FIG. 7 is a diagram showing the relationship between blocks comprising a member management device according to the first embodiment of the present invention;

FIG. 8 is a diagram showing the relationship among the blocks comprising a member tracking device according to the first embodiment of the present invention;

FIG. 9 is a diagram showing the relationship among the blocks comprising a member tracking device according to the first embodiment of the present invention;

FIG. 10 is a flow chart showing the operation of the group signature system of first embodiment according to the present invention when registering a member;

FIG. 11 is a flow chart showing the operation of the signature device of first embodiment according to the present invention when creating a group signature;

FIG. 12 is a block diagram showing an example configuration of a group signature system according to the second embodiment of the present invention; and

FIG. 13 is a block diagram showing the configuration of a signature apparatus in the group signature system of the first conventional art.

DESCRIPTION OF THE PREFERRED EMBODIMENT

The preferred embodiment of the present invention will now be described in detail by referring to the drawings.

FIG. 1 is a block diagram showing an example configuration of a group signature system according to the first embodiment of the present invention. With reference to FIG. 1, the group signature system of the first embodiment has a group management device 1, a signature device 2, and a verification device 3.

In another example configuration, the group signature system of the first embodiment may have a member management device in addition to the configuration in FIG. 1. FIG. 2 is a block diagram showing another example configuration of a group signature system according to the first embodiment of the present invention. With reference to FIG. 2, the group signature system of the first embodiment has, in addition to the configuration in FIG. 1, a member management device 4, wherein the member registration functions of the group management device 1 are divided.

In yet another example configuration, the group signature system of the first embodiment may have a member tracking device 5 in addition to the configuration in FIG. 2. FIG. 3 is a block diagram showing yet another example configuration of a group signature system according to the first embodiment of the present invention. With reference to FIG. 3, the group signature system of the first embodiment has, in addition to the configuration in FIG. 2, a member tracking device 5 wherein the member tracking functions of the group management device 1 are divided.

The example of system configuration in FIG. 3 will now be described. As shown in this figure, the member registration functions and the member tracking functions are divided from the group management device 1. The present invention, however, is not limited to this configuration and is also applicable to any configuration without these functions being divided.

With reference to FIG. 3, the group management device 1 has a public information disclosing means 101, a member information disclosing means 102, and a pre-processing means 103, and creates and discloses public information for use throughout the system.

The signature device 2 has a first random number generator 201, a second random number generator 202, a third random number generator 203, a fourth random number generator 204, an encrypted data creation means 205, a first converted data creation means 206, a second converted data creation means 207, a knowledge signature creation means 208, a message input means 209, a signature output means 210, a confidential information storage part 211, a member information storage part 212, a registration means 213, and a fifth random number generator 214, and creates a group signature after registering members.

The verification device 3 has a verification means 301, and verifies the validity of a given group signature.

The member management device 4 has a discrete logarithm key generation means 401, a member registration confidential information storage part 402, a member registration means 403, a first random number generator 404, and a second random number generator 405, and performs the process of registering group members.

The member tracking device 5 has a discrete logarithm key generation means 501, a member tracking confidential information storage part 502, a member tracking means 503, and a random number generator 504, and has a member tracking function to identify the actual signer from a given group signature.

In the group management device 1, the public information disclosing means 101 stores various kinds of public information outputted by the pre-processing means 103, the discrete logarithm key generation means 401, and the discrete logarithm key generation means 501, and discloses the public information for free reference by all the devices.

The member information disclosing means 102 stores member information created through communication between the member registration means 403 of the member management device 4 and the registration means 213 of the signature device 2, and discloses the public information for free reference by all the devices.

The pre-processing means 103 pre-determines a common constant to be used by this system and outputs the constant to the public information disclosing means 101.

FIG. 4 is a diagram showing the relationship among the blocks comprising a signature device according to the first embodiment of the present invention. FIG. 5 is a diagram showing the relationship among the blocks comprising a signature device and a member management device according to the first embodiment of the present invention.

In FIG. 4, the first random number generator 201 generates a first random number for use by the encrypted data creation means 205.

Similarly, the second random number generator 202 generates a second random number for use by the first converted data creation means 206. The third random number generator 203 generates a third random number for use by the second converted data creation means 207. The fourth random number generator 204 generates a fourth random number for use by the knowledge signature creation means 208.

The encrypted data creation means 205 uses as input the random number generated by the first random number generator 201 and the first element of a member certificate stored in the member information storage part 212, to encrypt the first element of the member certificate, and outputs the resultant encrypted data to the knowledge signature creation means 208 and the signature output means 210.

The first converted data creation means 206 uses as input the second random number generated by the second random number generator 202 and the first element of a member certificate stored in the member information storage part 212, to output converted data from the first element of the member certificate (hereinafter referred to as the “first converted data”) to the knowledge signature creation means 208 and the signature output means 210.

The second converted data creation means 207 uses as input the third random number generated by the third random number generator 203 and the first element of a member certificate stored in the member information storage part 212, to output converted data from the first element of the member certificate (hereinafter referred to as the “second converted data”) to the knowledge signature creation means 208 and the signature output means 210.

The knowledge signature creation means 208 uses as input the message inputted from the message input means 209, the fourth random number generated by the fourth random number generator 204, the encrypted data, the first converted data, the second converted data, the signature key stored in the confidential information storage part 211, the first and second elements of the member certificate stored in the member information storage part 212, the public information disclosed by the public information disclosing means 101, to output knowledge signature data that indicates that the individual possesses a member certificate and a signature key.

The message input means 209 outputs a message to which a signature will be added to the knowledge signature creation means 208 and the signature output means 210.

The signature output means 210 outputs as a group signature the message inputted from the message input means 209, the encrypted data, the first converted data, the second converted data, and the knowledge signature data.

The confidential information storage part 211 stores a signature key that is a private key to be used for signature generation.

The member information storage part 212 stores the member certificate acquired through communication with the member registration means 403 of the member management device 4.

In FIG. 5, the registration means 213 communicates with the member registration means 403 of the member management device 4, acquires a member certificate containing a signature of the member management device 4 by using as input the fifth random number outputted from the fifth random number generator 214, and outputs the member certificate to the member information storage part 212. The fifth random number generator 214 generates a fifth random number for use to input it in the registration means 213.

FIG. 6 is a diagram showing the relationship between the block within a verification device and another device according to the first embodiment of the present invention.

The verification means 301 uses as input a given group signature and the public information disclosed by the public information disclosing means 101 of the group management device 1, to verify whether the group signature has duly been outputted from the signature output means 210 of the signature device 2. The verification means 301 accepts the group signature only when the signature has duly been outputted from the signature output means 210; otherwise, it rejects the group signature.

Based on this, the verification means 201 (*301?) verifies whether or not a given group signature is a valid group signature created by a certain signature device by using a correct member certificate and a correct signature key. If the group signature is valid, the signature output means 210 accepts the signature and outputs a message indicating the acceptance of the signature; otherwise, the signature output means 210 rejects the signature and outputs a message indicating the rejection of the signature.

FIG. 7 is a diagram showing the relationship among the blocks comprising a member management device according to the first embodiment of the present invention.

With reference to FIG. 7, the discrete logarithm key generation means 401 receives a random number from the first random number generator 404; using the random number, calculates a public key and a private key based on the discrete logarithm problem for a multiplicative group on a finite field; stores the private key as the member registration private key in the member registration confidential information storage part 402; and outputs the public key as the member registration public key to the public information disclosing means 101 of the group management device 1.

The member registration confidential information storage part 402 stores the private key created by the discrete logarithm key generation means 401.

The first random number generator 404 outputs a random number to the discrete logarithm key generation means 401.

With reference to FIG. 5, the member registration means 403 communicates with the registration means 213 of the signature device 2; using as input a random number from the second random number generator 405 and a private key stored in the member registration confidential information storage part 402, issues to the signature device 2 a member certificate consisting of the first element and the second element; and outputs to the member information disclosing means 102 the member information for the signature device 2 acquired through communication with the signature device 2. A member certificate contains information proving that the holder is a member of the group and is used when the signature device 2 issues a group signature.

The second random number generator 405 outputs a random number to the member registration means 403.

FIGS. 8 and 9 each is a diagram showing the relationship among the blocks comprising a member tracking device according to the first embodiment of the present invention.

With reference to FIG. 8, the discrete logarithm key generation means 501 receives a random number from the random number generator 504; using the random number, calculates a public key and a private key based on the discrete logarithm problem for a multiplicative group on a finite field; stores as the member tracking private key the private key in the member tracking confidential information storage part 502; and outputs as the member tracking public key the public key to the public information disclosing means 101 of the group management device 1.

The member tracking confidential information storage part 502 stores the private key created by the discrete logarithm key generation means 501.

The random number generator 504 outputs a random number to the discrete logarithm key generation means 501.

With reference to FIG. 9, the member tracking means 503 identifies the signer of a group signature by using as input a group signature accepted by the verification means 301, the member information disclosed by the member information disclosing means 102, and private key stored in the member tracking confidential information storage part 502.

Detailed operation of the group signature system of the first embodiment will be described below.

First, as a pre-processing process, the pre-processing means 103 sets a public parameter to be commonly used throughout this system. The parameter set here will be used for key creation to be performed later by the signature device 2, the member management means 4, and the member tracking means 5.

In this pre-processing, a first prime number p, a second prime number q, and a third prime number P are selected. At this time, the values of p, q, and P are selected to satisfy the following relationship:

q|p−1, p|P−1

The bit counts for p, q, and P are recommended to be as follows, respectively:

|q|≧160, |p|≧1024, and |P|≧1024

At this time, a partial group G_(q) of the order q for a multiplicative group Z_(p*) having the order of p is considered. In addition, a partial group G_(q) of the order q for a multiplicative group Z_(p*). having the order of P is considered.

Then, from G_(p), a first generator g, a second generator h, and a third generator f are selected. At this time, g, h, and f are selected so that nontrivial α1, α2, and α3 that satisfy the equation “g^(α1)h^(α2)f^(α3)=1” will not be known.

Similarly, from G_(p), a fourth generator G and a fifth generator H are selected. At this time, G and H are selected so that nontrivial β1 and β2 that satisfy the equation “G^(β1)H^(β2)=1” will not be known.

A collision intractable hash function that converts an arbitrary bit row into k bits,

is selected. The value of k is recommended to be 160.

Finally, the first prime number p, the second prime number q, the third prime number P, the first generator g, the second generator h, the third generator f, the fourth generator G, the fifth generator H, and the collision intractable hash function

are outputted to the public information disclosing means 101.

Then, the member management device 4 uses the discrete logarithm key generation means 401 to create a pair of private and public keys based on a discrete logarithm problem, for use by the member registration means 403. This private key is a member registration private key, while the public key is a member registration public key.

In creating these keys, the first random number generator 404 randomly selects a member registration private key υ from a finite field Z_(q) having the order of the second prime number q that was selected by the pre-processing means 103, and inputs the key thus selected to the discrete logarithm key generation means 401. The discrete logarithm key generation means 401 then calculates a member registration public key

y=h^(υ) mod p

by using the second generator h and the member registration private key υ. In other words, in the calculation of public and private keys based on a discrete logarithm problem for a multiplicative group on a finite field, the public and private keys are selected so that the private key will be an arbitrary generator of a finite field having the order of a prime number and so that the public key will be a value having the private key as a discrete logarithm.

Finally, a member registration public key y is outputted to the public information disclosing means 101, and the member registration private key υ is securely stored in the member management confidential information storage part 402.

Similarly, the member tracking device 5 uses the discrete logarithm key generation means 501 to create a pair of private key and public key based on a discrete logarithm problem, for use by the member tracking means 503. This private key is a member tracking private key, while the public key is a member tracking public key.

In creating these keys, the random number generator 504 randomly selects a member tracking private key ε from a finite field Z_(q) having the order of the second prime number q that was created by the pre-processing means 103, and inputs the key thus selected to the discrete logarithm key generation means 501. The discrete logarithm key generation means 501 then calculates a member registration public key

e=g^(ε) mod p

by using the first generating element g and the member tracking private key ε. Finally, a member tracking public key e is outputted to the public information disclosing means 101, and the member tracking private key ε is securely stored in the member tracking confidential information storage part 502.

The process described above is performed when the system starts operation or when the system is initialized.

After the pre-processing and key creation processes, the signature device 2 communicates with the member management device 4 and acquires a signature key and a member certificate for later use when a signature is issued. A member certificate is a signature data created by, for example, following the signature method developed by Nyberg and Rueppel (“Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem,” Advances in Cryptology—EUROCRYPT '94, pp. 182-193), using as a signature key a random number selected by the fifth random number generator 214 of the signature device 2 and then using on the converted data from that signature key a member management private key calculated by the member management device 4. This signature data is called a “Nyberg-Rueppl signature.” This member certificate consists of a first element and a second element.

An example operation of the member registration means 403 and the registration means 213, both of which are responsible for issuing member certificates, will be described below.

FIG. 10 is a flow chart showing the operation of the group signature system of first embodiment according to the first embodiment when registering a member.

With reference to FIG. 10, in step A101, the registration means 213 of the signature device 2 first receives as a signature key for the signature device 2 one of the generators σ of a finite field Z_(q) having the order of the second prime number q that was created by the fifth random number generator 214.

Next, in step A102, the registration means 213 calculates

I_(U)=g^(σ) mod p

to obtain converted data from the signature key σ.

In step A103, the registration means 213 calculates knowledge signature data spk_(U), which indicates that the signature key σ is a discrete logarithm of the converted data I_(U) from the signature key in relation to the first generator g. The knowledge signature data spk_(U) can be created by using the method described in Schnorr, “Efficient Signature Generation by Smart Cards” Journal of Cryptology, 4, 3, pp. 161-174), as described below.

A random number λ is selected from a finite field Z_(q) and (c, s) are calculated using the equation below:

c:=

(g∥I _(U) ∥g ^(λ))

s:=λ−cσ mod q

The result of this calculation,

spk _(U)=(c,s)

is knowledge signature data.

In step A104, the registration means 213 creates identity verification data, which indicates that the signature device 2 has duly created the converted data I_(U) from the signature key and the knowledge signature data spk_(U). For this purpose, for example, a digital signature for a concatenated data set consisting of the converted data from the signature key and the knowledge signature data can be used.

When the digital signature function Sig_(U) is used, the identity verification data will be:

S _(U) =Sig _(U)(I _(U) ∥spk _(U))

With the digital signature function Sig_(U), a signature algorithm, such as a DSA or RSA signature, can be used.

The signature device 2 then transmits the converted data I_(U), knowledge signature data spk_(U), and identity verification data S_(U) to the member management device 4.

The member management device 4 verifies whether or not the knowledge signature data spk_(U) and the identity verification data S_(U) are correct (step A105). The knowledge signature data spk_(U) can be verified for correctness by confirming that the following equation holds.

c=

(g∥I _(U) ∥I _(U) ^(c) g ^(a))

The digital signature S_(U) can be verified for correctness by using the digital signature verification function Ver_(U) corresponding to Sig_(U) and confirming that the equation below holds:

Ver _(U)(S _(U) ,I _(U) ∥spk _(U))=1

The process can proceed only if both have passed the verification. Otherwise, the process is aborted.

After passing the verification, the member registration means 403 of the member management device 4 receives from the second random number generator 405 a generator p of a finite field Z_(q) having the order of the second prime number q selected randomly (step A106).

Next, in step A107, the member registration means 403 calculates a member certificate (γ, ξ) by using the random number ρ received, the member management private key υ stored in the member management confidential information storage part 402, and the second generator h disclosed by the public information disclosing means 101, as follows.

r:=I_(U)h^(ρ) mod p

ξ:=ρ−rυ mod q

Then the member management device 4 transmits the member certificate (γ, ξ) obtained from the calculation to the signature device 2.

In step A108, the signature device 2 verifies whether the obtained member certificate (γ, ξ) has been created correctly. This verification is made by confirming whether or not the equation below holds.

r=y^(r)g^(ρ)h^(ξ)

Once the verification is passed, the signature device 2 notifies the member management device 4 that the member certificate has been verified successfully (step A109). The signature device 2 then stores the signature key ρ in the confidential information storage part 211 and the member certificate (γ, ξ) in the member information storage part 212, respectively (step A110).

On receiving the verification success notification sent in step A109, the member management device 4 outputs to the member information disclosing means 102 a member list for presentation to the signature device 2, the list consisting of the converted data I_(U) from the signature key, the knowledge signature data spk_(U), the member certificate (γ, ξ) sent to the signature device 2, and the identity verification data S_(U) (step A111). This registration process must be performed for each signature device. This registration process is performed by each signature device.

After creating a member certificate and a signature key, the signature device 2 creates a group signature for an electronic document message m to which the group signature inputted from the message input means 209 should be inserted, following the procedure described below.

FIG. 11 is a flow chart showing the operation of the signature device of first embodiment according to the present invention when creating a group signature.

With reference to FIG. 11, in step A201, the first random number generator 201 generates a first random number τ from a finite field Z_(q), the second random number generator 202 generates a second random number ωfrom a finite field Z_(q), and the third random number generator 203 generates a third random number α from a finite field Z_(p).

Next, in step A202, the encrypted data creation means 205 uses as input the first random number τ, the first element γ of the member certificate, and the member tracking public key e, to calculate:

g′:=g^(τ) mod p

e′:=r ⁻¹ e ^(τ) mod p

These (g′, e′) are referred to as the encrypted data from the first element r of the member certificate.

Next, in step A203, the first converted data creation means 206 uses as input the second random number ω, the first element r of the member certificate, to calculate;

h′:=y^(r)f^(ω) mod p

This h′ is referred to as the first converted data from the first element r of the member certificate.

Next, in step A204, the second converted data creation means 207 uses as input the third random number a, the first element r of the member certificate, to calculate;

J:=G^(r)H^(a) mod P

This J is referred to as the second converted data from the first element r of the member certificate.

Information concerning the first element r of the member certificate will never be divulged even when the converted data is made public, because these encrypted and converted data were created by using random numbers as input.

This means that the first element r of the member certificate has been safeguarded by using random numbers.

Next, in step A205, the knowledge signature creation means 208 creates knowledge signature data.

Knowledge signature data can prove, by using a message m as input, that (i) the first converted data h′ and the second converted data J are the correct conversion from the first element r of the member certificate, (ii) both h′ and J are the results of converting the first element r of the same member certificate, (iii) the member certificate (r, ξ) has been duly acquired through communication with the member management device 4, (iv) the individual knows the signature key a associated with the member certificate (r, ξ), and (v) the encrypted data (g′, e′) are the results of duly encrypting the first element y of the member certificate using the member tracking public key e, while ensuring not to divulge information concerning the member certificate (r, ξ), the signature key ρ, the first random number τ, the second random number ω, or the third random number a.

Knowledge signature data in this embodiment proves that the individual knows (r, ξ, ρ, τ, ω, a) that satisfy the equation:

$\quad\left\{ \begin{matrix} {g^{\prime} = {g^{\tau}\mspace{11mu} {mod}{\; \;}p}} \\ {e^{\prime} = {r^{- 1}e^{\tau}\mspace{11mu} {mod}\mspace{11mu} p}} \\ {h^{\prime} = {y^{r}f^{\omega}\mspace{11mu} {mod}\mspace{11mu} p}} \\ {J = {G^{r}H^{a}\mspace{11mu} {mod}\mspace{11mu} p}} \\ {{e^{\prime}h^{\prime}} = {f^{\omega}g^{- \sigma}h^{- \xi}e^{\tau}{mod}\mspace{11mu} p}} \\ {r \in \left\lbrack {0,{p - 1}} \right\rbrack} \end{matrix} \right.$

without disclosing (r, ξ, σ, τ, ω, a) (that is, without divulging such information).

First, a random number φ2j−1, where 1≦j≦k, is selected from 0 to p−1. In addition,

φ_(2j):=φ_(2j-1) −p

is assumed. Next, it is confirmed whether

r+φ_(2j)∈[0,p−1]

holds or not. At this time, if

r+φ_(2j−1)∉[0,p−1] and r+φ_(2j)∈[0,p−1]

then φ_(2j-1) is replaced with φ_(2j), and the value is substituted so that

r+φ_(2j−1)∈[0,p−1]

will hold.

Random numbers, ψ2j−1, ψ2j, are selected randomly from a finite field Z_(q) and random numbers, η_(2j-1), η_(2j), from a finite field Z_(p). Using these random numbers, the equation below is calculated under the condition of 1≦j≦k.

V _(j) :=y ^(φ) ^(2j-1) f ^(ψ) ^(2j-1) ∥y ^(φ) ^(2j) f ^(ψ) ^(2j) ∥G ^(φ) ^(2j-1) H ^(η) ^(2j-1) ∥G ^(φ) ^(2j) H ^(η) ^(2j)

Next, generators, t1, t2, t3, t4, and t5, are selected randomly from a finite field Z_(q). Using these random numbers, the equation

T₁=y^(t) ¹ f^(t) ² mod p

T ₂ =f ^(t) ² g ^(−t) ³ h ^(−t) ⁴ e ^(t) ⁵ mod p

T₃:=g^(t) ⁵ mod p

is calculated.

A random number γj is selected from a finite field Z_(q) and a random number u_(j) from a finite field Z_(p), where 1≦j≦k.

e_(j):=e^(γ) ^(j) mod p

is calculated.

g_(j):=g^(γ) ^(j) mod p

J_(j):=G^(e) ^(j) H^(u) ^(j) mod P

is also calculated.

Based on the resultant values, the knowledge signature data shown below is calculated.

Also, if c[j]=0,

c:=

(g∥h∥f∥G∥H∥y∥e∥V ₁ ∥ . . . ∥V _(k) ∥T ₁ ∥T ₂ ∥T ₃ ∥g ₁ ∥ . . . ∥g _(k) ∥J ₁ ∥ . . . ∥J _(k) ∥m)

is calculated, and if c[j]=1,

v _(6j-5):=φ_(2j-1)

v _(6j-4):=φ_(2j)

v _(6j-3):=ψ_(2j-1)

v _(6j-2):=ψ_(2j)

v _(6j-1):=η_(2j-1)

v_(6j):=η_(2j)

ω_(j):=γ_(j) mod q

z_(j):=u_(j) mod p

is calculated, where c[j] represents the value of the j-th bit of c.

v _(6j-5) :=r _(U)+φ_(2j-1)

v _(6j-4) :=y ^(φ) ^(2jf) ^(ψ) ^(2j)

v _(6j-3):=ω+ψ_(2j-1)

v _(6j-2):=ψ₀∈_(U) Z _(q)

v _(6j-1):=α+η_(2j-1)

v_(6j):=G^(φ) ^(2j) H^(η) ^(2j)

ω_(j):=γ_(j) −r mod q

z _(j) :=u _(j) −ae _(j) r _(U) ⁻¹ mod p

The parts c and (v₁, v₂, v₃, v₄, v₅, v₆, . . . , v_(6k-5), v_(6k-4), v_(6k-3), v_(6k-2), v_(6k-1), v_(6k)) prove that the first element r of the member certificate has duly been converted by using the second random number c and the third random number a and that the two r's that have been converted in the two equations are identical to each other. This indicates that

h′=y^(r)f^(ω) mod p and J=G^(r)H^(a) mod P and r∈[0,p−1]

The parts c and (s1, s2, s3, s4, s5) prove that the member certificate (γ, ξ) and the signature key ω have duly been created. This indicates that

e′h′=f ^(ω) g ^(−σ) h ^(ξ) e ^(r) mod p and h′=y ^(r) f ^(ω) mod p and g′=g ^(r) mod p

The parts c and (w₁, . . . , w_(k), z₁, . . . , z_(k)) prove that the first element r of the member certificate that has been converted using the second converted data J has duly been encrypted using the encrypted data (g′, e′). This indicates that

J=G ^(r) H ^(a) mod P and g′=g ^(r) mod p and e′=r ⁻¹ e ^(r) mod p

Finally, in step A206, the signature output means 210 outputs as a group signature the encrypted data (g′, e′), the first converted data h′, the second converted data J, and the knowledge signature data (c, v₁, v₂, v₃, v₄, v₅, v₆, . . . v_(6k-5), v_(6k-4), v_(6k-3), v_(6k-2), v_(6k-1), v_(6k), s₁, s₂, s₃, s₄, s₅, w₁, . . . w_(k), z₁, . . . z_(k))

The verification means 301 confirms whether or not a given group signature has duly been created. This verification is achieved by verifying the knowledge signature data contained in the group signature.

In verifying knowledge signature data, whether or not the signer of a given group signature duly possesses a member certificate (r, ξ) and a signature key a created through communication with the member registration means 403, can be confirmed. Since the member certificate (r, ξ) and the signature key σ contained in the group signature data are safeguarded by using random numbers, information as to which one of the registered signature devices has created the signature is not disclosed even through the verification process.

The embodiment of the present invention verifies knowledge signature data by way of confirming whether or not the equation below holds:

$c:={\begin{pmatrix} {g{h}f{G}H{y}e{V_{1}^{\prime}}\ldots} \\ {{V_{k}^{\prime}}T_{1}^{\prime}{T_{2}^{\prime}}T_{3}^{\prime}{g_{1}^{\prime}}\ldots {g_{k}^{\prime}}J_{1}^{\prime}{\; \ldots \; }J_{k}^{\prime}{\; m}} \end{pmatrix}}$ ${where},{V_{j}^{\prime} = \left\{ {{\begin{matrix} \begin{matrix} {y^{v_{{6j} - 5}}f^{v_{{6j} - s}}{{y^{v_{\; {{6j} - 4}}}f^{v_{\; {{6j} - 2}}}}}} \\ {G^{v_{{6j} - 5}}H^{v_{{6j} - 1}}{}G^{v_{{6\; j} - 4}}H^{v_{6\; j}}} \end{matrix} & {{c\lbrack j\rbrack} = 0} \\ \begin{matrix} {y^{v_{{6j} - 5}}{H^{v_{{6j} - s}}/h^{\prime}}{v_{{6\; j} - 4}}} \\ {G^{v_{{6j} - 5}}{H^{v_{{6j} - 1}}/J}{}v_{6j}} \end{matrix} & {{c\lbrack j\rbrack} = 1} \end{matrix}T_{1}^{\prime}} = {{h^{\prime \; c}y^{s_{1}}f^{s_{2}}T_{2}^{\prime}} = {{\left( {e^{\prime}h^{\prime}} \right)^{c}f^{s_{2}}g^{- s_{3}}h^{- s_{4}}e^{s_{5}}T_{3}^{\prime}} = {{g^{\prime \; c}g^{s_{5}}g_{j}^{\prime}} = {{g^{\prime \; {c{\lbrack j\rbrack}}}g^{w_{j}}\mspace{11mu} {mod}\mspace{11mu} pJ_{j}^{\prime}} = \left\{ {\begin{matrix} {G^{{\overset{\_}{e}}_{j}^{\prime}}H^{z_{j}}\mspace{11mu} {mod}\mspace{11mu} P} & {{c\lbrack j\rbrack} = 0} \\ {J^{{\overset{\_}{e}}_{j}^{\prime}}H^{z_{j}}\mspace{11mu} {mod}{\; \;}P} & {{c\lbrack j\rbrack} = 1} \end{matrix}\left( {{{where}\mspace{14mu} {\overset{\_}{e}}_{j}^{\prime}}:={e^{\prime \; {c{\lbrack j\rbrack}}}e^{w_{j}}\mspace{11mu} {mod}\mspace{11mu} p}} \right)} \right.}}}}} \right.}$

If the knowledge signature data passes the verification, the group signature is accepted. If the knowledge signature data fails the verification, the group signature is rejected.

In the member tracking device 5, the member tracking means 503 identifies the actual signer of the group signature accepted by the verification device 301.

First, using the member tracking private key ε stored in the member tracking confidential information storage part 502,

r :=g′ ^(ε) /e′ mod p

is calculated. Then, from the encrypted data for a given group signature, the first element of the member certificate representing the signer of the signature, r is decrypted. At the same time, using the member tracking private key ε stored in the member tracking confidential information storage part 502, data, proving that the result of decryption, r is really the result of duly decrypting the encrypted data (g′, e′) using the member tracking private key ε, is created.

A random number δ is selected from a finite field Z_(q),

c:=

1029 (g′∥e′∥ r ⁻¹ e′∥g′ ^(δ))

s:=δ−cε mod q

is calculated, The resultant (c, s) is the proof data. By the voucher provided by this proof data, it is guaranteed that the member tracking device 5 has duly decrypted r from the group signature.

Next, a search is made from the member lists {<I_(U),spk_(U),r,ξ,S_(U)>} disclosed in the member information disclosing means 102, to find the member list (I_(U), spk_(U), r, ξ, S_(U)) containing the first element r that is the same as the first element of the decrypted member certificate shown below:

r

If found, the signature device corresponding to the matching member list is identified as the signer of the group signature.

In the present embodiment, the member management device 4 and the member tracking device 5 may be included in the group management device 1. It is also possible to use a finite field on an elliptic curve, instead of a multiplicative group on a finite field, which is used in the computation in the embodiment described above.

As described above, according to the present embodiment, information concerning member certificates is safeguarded in the encrypted data creation means 205, the first converted data creation means 206, and the second converted data creation means 207, by using random numbers that will not be disclosed later as an element of the group signature element. This makes it possible to provide secure and reliable group signatures, because devices that do not have confidential information necessary for member tracking are not able to acquire information concerning the signer from the group signature data. Furthermore, since the member management device 4 is not capable of identifying the signer of a given signature, it is possible to safely divide the functions of the group management device into two, member management device 4 and member tracking device 5.

The second embodiment of the present invention will now be described in detail referring to the drawings.

FIG. 12 is a block diagram showing an example configuration of a group signature system according to the second embodiment of the present invention. With reference to FIG. 12, the group signature system of the second embodiment has a group management device 1, a signature device 2, a verification device 3, a first to third member sub-management devices 6 to 8, and a first to third member sub-tracking device 9 to 11.

While this embodiment is described using an example that distributes the functions of the group management device into three member sub-management devices and three member sub-tracking devices, there is no limitation to the number of devices into which the functions can be distributed. The first to third member sub-management devices 6 to 8, and the first to third member sub-tracking devices 9 to 11 are connected among one another via a broadcast channel, respectively. The first to third member sub-management devices 6 to 8 distribute the functions among themselves to perform the process of registering group members. The first to third member sub-tracking devices 9 to 11 distribute the functions among themselves to perform the process of identifying from a group signature which member has created the signature.

The group management device 1 has the same configuration as its counterpart in the first embodiment and discloses public information for use commonly throughout the system. The signature device 2 has the same configuration as its counterpart in the first embodiment. The verification device 3 has the same configuration as its counterpart in the first embodiment.

Each of the first to third member sub-management devices 6 to 8 has a distributed discrete logarithm key generation means 601, 701, 801, a distributed registration confidential information storage part 602, 702, 802, a distributed member registration means 603, 703, 803, and a random number generator 604, 704, 804. For simplification, the following description takes as an example the member sub-management device 6.

The distributed discrete logarithm key generation means 601 generates through communication with another member sub-management device a distributed management private key for use by the distributed member sub-management means 603, and outputs the resultant key to the distributed registration confidential information storage part 602.

The distributed registration confidential information storage part 602 stores the distributed registration private key generated by the distributed discrete logarithm key generation means 601.

The distributed member registration means 603 communicates with a signature device 2 and issues a member certificate to that signature device 2. It should be noted that a member certificate issued by the distributed member registration means 603 does not by itself have a function of member certificate. The signature device 2 can calculate a member certificate for later use from a member certificate that it received from each member management device.

The random number generator 604 generates random numbers for use by the distributed discrete logarithm key generation means 601 and the distributed member registration means 603.

The first, second, and third member sub-tracking device 9, 10, 11 each has a distributed discrete logarithm key generation means 901, 1001, 1101, a distributed tracking confidential information storage part 902, 1002, 1102, a distributed member tracking means 903, 1003, 1103, and a random number generator 904, 1004, 1104. The following description is simplified by taking the member sub-tracking device 9 as a typical example.

The distributed discrete logarithm key generation means 901 generates a distributed tracking private key for use by the distributed member tracking means 903 through communication with another member sub-tracking device, and outputs the resultant key to the distributed tracking confidential information storage part 902.

The distributed tracking confidential information storage part 902 stores the distributed tracking private key generated by the distributed discrete logarithm key generation means 901.

The distributed member tracking means 903 communicates with another member sub-tracking device and, during the course of communication, uses as input the group signature accepted by the verification means 301 of the verification device 3, the distributed tracking private key stored by the distributed tracking confidential information storage part 902, and the member information disclosed by the member information disclosing means 102, to identify and output the signer of a given group signature.

The random number generator 904 generates random numbers for use by the distributed discrete logarithm key generation means 901 and the distributed member tracking means 903.

Detailed operation of the group signature system of the second embodiment will be described below.

First, similarly to the first embodiment, in a pre-processing process, the pre-processing means 103 of the group management device 1 generates public information

(p, q, P, g, h, f, G, H, )

and the public information disclosing means 101 discloses this information.

Next, each of the distributed discrete logarithm key generation means 601, 701, 801 of the first, second, and third member sub-management devices 6, 7, 8 creates a public key and a distributed private key for use for member registration, and stores the distributed private key in the distributed registration confidential information storage parts 602, 702, 802, respectively. It should be noted that a distributed private key does not by itself serve as a private key, but the three member sub-management devices 6, 7, 8, when all operate properly, can perform the function similar to the process of the first embodiment which is accomplished by using a member registration private key.

As an example for explaining the present embodiment, a key generation means following the distributed private key generation method for a cryptosystem based on a discrete logarithm problem, which is shown in Pedersen “A Threshold Cryptosystem without a Trusted Party” (Advances in Cryptology-EUROCRYPT '91, pp. 522-526), will be described below.

The first, second, and third member sub-management devices 6, 7, 8 each randomly selects a quadratic polynomial on Z_(q). Here, the first member sub-management device 6 selects a polynomial f₁(z).

f ₁(z)=a ₁₀ +a ₁₁ z+a ₁₂ z ² mod q

Similarly, the second and third member sub-management devices 7, 8 select f₂(z) and f₃(z), respectively.

The first member sub-management device 6 transmits

H₁₁=h^(a) ¹¹ mod p, H₁₂=h^(a) ¹² mod p, H₁₃=h^(a) ¹³ mod p

to the second member sub-management device 7 and the third member sub-management device 8.

Similarly, the second member sub-management device 7 transmits H₂₁, H₂₂, and H₂₃ to the first and third member sub-management devices 6, 8, while the third member sub-management device 8 transmits H₃₁, H₃₂, and H₃₃ to the first and second member sub-management devices 6, 7.

If a₁₀, a₂₀, and a₃₀ are notated as υ₁, υ₂, and υ₃, respectively, then υ₁, υ₂, and υ₃ each represents a distributed management private key for each of the member sub-management devices 6, 7, 8. In addition,

y₁=H₁₀=h^(υ) ¹ mod p, y₂=H₂₀=h^(υ) ² mod p, y₃=H₃₀=h^(υ) ³ mod p

are outputted to the public information disclosing means 101.

The first member sub-management device 6 transmits

υ ₁₂ =f ₁(2) mod q

to the second member sub-management device 7, and transmits

υ ₁₃ =f ₁(3) mod q

to the third member sub-management device 8, both confidentially so that the content of transmission will not be known to other devices.

Similarly, the second member sub-management device 7 transmits

υ ₂₁ =f ₂(1) mod q

to the first member sub-management device 6, and transmits

υ ₂₃ =f ₂(3) mod q

to the third member sub-management device 8, both confidentially so that the content of transmission will not be known to the other devices. The third member sub-management device 7 transmits

υ ₃₁ =f ₃(1) mod q

to the first member sub-management device 6, and transmits

υ ₃₂ =f ₃(2) mod q

to the second member sub-management device 7, both confidentially so that the content of transmission will not be known to the other devices.

By this, the first member sub-management device 6 receives from the second member sub-management device 7 H₂₁, H₃₂, H₂₃, and

υ ₂₁ and, from the third member sub-management device 8, H₃₁, H₃₂, and H₃₃ and υ ₃₁

The first member sub-management device 6 then verifies

υ ₂₁ and υ ₃₁ which have been received from the other member-sub management devices. This verification is achieved by confirming whether or not the equation below is satisfied.

h ^(υ) ²¹⁼⁽ H ₂₁)¹ ¹ ·(H ₂₂)¹ ² ·(H ₂₃)¹ ¹ mod p

h ^(υ) ³¹⁼⁽ H ₃₁)¹ ¹ ·(H ₃₂)¹ ² ·(H ₃₃)¹ ¹ mod p

If this verification fails, each member sub-management device notifies the failure to the source member sub-management device. A member sub-management device that has received a failure notification from both the other two member sub-management devices loses its role as an administrator.

If a member sub-management device receives notification of the failure of verification from only one of the other two member sub-management devices, for example, if the first member sub-management device 6 alone has failed the verification of the second member sub-management device 7, then the second member sub-management device 7 is assumed to satisfy the verification equation.

υ ₂₁ is transmitted to the first member sub-management device 6 again. If this υ ₂₁ fails to satisfy the verification equation for the first member sub-management device 6, then the second member sub-management device 7 loses its role as an administrator. If the second member sub-management device 7 ceases to be an administrator, this device proceeds to the subsequent process by assuming that υ₂=0 and y₂₌1.

A member registration public key y, which is commonly used by all the member sub-management devices, is calculated using the equation:

y=y ₁ ·y ₂ ·y ₃·mod p

More specifically, each of the member sub-management devices 6, 7, 8 obtains a registration public key and a distributed registration private key in such a manner that its own distributed registration private key is the one to be assigned to itself, among the distributed values for obtaining the generator of a finite field having the order of a prime number and that the registration public key is a value having as its discrete logarithm a generator to be established from a plurality of distributed registration private keys. At this time, the registration public key is a generator of a multiplicative group on a finite field.

The public key y is then disclosed by the public information disclosing means 101 of the group management device 1. The first, second, and third member sub-management devices 6, 7, 8 store υ₁, υ₂, and υ₃, respectively, as distributed registration private keys in the respective distributed registration confidential information storage part 602, 702, 802.

Similarly, the distributed discrete logarithm key generation means 901, 1001, 1101 of the first, second, and third member sub-tracking devices 9, 10, 11 each creates a public key and a distributed private key for use for member tracking, stores as a member tracking private key the distributed private key in the respective distributed tracking confidential information storage parts 902, 1002, 1102, and causes the public information disclosing means 101 of the group management device 1 to disclose the public key as a member tracking public key. The member tracking public key is represented as e, and the private keys held by the respective member sub-tracking devices as ε₁, ε₂, and ε₃.

On completion of the pre-processing process and the key creation process, the signature device 2 communicates with the first, second, and third member sub-management devices 6, 7, 8, respectively, and, similarly to the first embodiment, acquires a member certificate (r, ξ) and a private key σ.

The registration means 213 of the signature device 2 performs similar operation to steps A101 to A104 in FIG. 10; it uses as a signature key a random number σ selected from a finite field Z_(q), which is generated by the fifth random number generator 214, to create converted data I_(U) from a signature key, knowledge signature data spk_(U), and identity verification data S_(U). The signature device 2 then transmits the converted data I_(U), knowledge signature data spk_(U), and identity verification data S_(U) to all of the first, second, and third member sub-management devices 6, 7, 8.

On receiving the converted data I_(U), knowledge signature data spk_(U), and identity verification data S_(U), the first, second, and third member sub-management devices 6, 7, 8 each verifies whether or not the knowledge signature data spk_(U) and identity verification data S_(U) are correct, just as in step A105 in FIG. 10.

If both pass the verification, the member sub-management device proceeds to the subsequent process. Otherwise, the process is aborted.

On completion of the verification, just as in the creation of a distributed member management private key, the first, second, and third member sub-management device 6, 7, 8 each calculates distributed information k₁, k₂, k₃ associated with the random number k, which is the generator of the finite field Z_(q). The first member sub-management device 6 outputs

t₁=h^(k) ¹ mod p

the second member sub-management device 7 outputs

t₂=h^(k) ² mod p

and the third member sub-management device 8 outputs

t₃=h^(k) ³ mod p

to the public information disclosing means 101, respectively. In addition,

t=t ₁ ·t ₂ ·t ₃ mod p

is also disclosed by the public information disclosing means 101.

Next, the first, second, and third member sub-management devices 6, 7, 8 each uses the public information t to calculate the first element of a member certificate

r:=I_(U)h^(t) mod p

Since r is calculated using the public information t as input, all the member sub-managers obtain the same value. The first, second, and third member sub-management devices 6, 7, 8 each uses the random numbers k₁, k₂, k₃ that have been generated for distribution purposes and the distributed private keys υ₁, υ₂, υ₃ that are stored in the distributed registration confidential information storage parts 602, 702, 802, to calculate

ξ₁ =k ₁ −rυ ₁ mod q, ξ ₂ =k ₂ −rυ ₂ mod q, and ξ ₃ =k ₃ −rυ ₃ mod q

respectively. Then the first member sub-management device 6 transmits (r, ξ₁), the second member sub-management device 7 transmits (r, ξ₂), and the third member sub-management device 8 transmits (r, ξ₃), respectively to the signature device 2.

The signature device 2 verifies whether or not the received member certificates (r, ξ₁), (r, ξ₂), (r, ξ₃) have duly been created by confirming if

h ^(ξ) ¹ =t ₁ y ₁ ^(−r) mod p, h ^(ξ) ² =t ₂ y ₂ ^(−r) mod p, and h ^(ξ) ³ =t ₃ y ₃ ^(−r) mod p

are satisfied. If this verification passes, the signature device 2 notifies the successful confirmation of the member certificate to the first, second, and third member sub-management devices 6, 7, 8. The signature device 2 then uses as input the second element of all the member certificates received from the first, second, and third member sub-management devices 6, 7, 8, to calculate

ξ=ξ₁+ . . . +ξ_(n)

The signature device 2 stores (r, ξ) as the member certificate in the member information storage part 212, and stores the signature key σ in the confidential information storage part 211.

On receiving a notification of successful verification, the member management device 4 outputs to the member information disclosing means 102 the member certificate transmitted to the signature device 2, the converted data from the signature key received from the signature device 2, the knowledge signature data, and the identity verification data, as a member list indicating the signature device 2.

In the present embodiment, the creation of a signature by the signature device 2 and the verification of a signature by the verification device 3 are performed in a similar manner to the first embodiment.

The member tracking devices 903, 1003, 1103 of the first, second, and third member sub-tracking devices 9, 10, 11 operate as follows.

First, the first, second, and third member sub-tracking devices 9, 10, 11 each decrypts the encrypted data (g′, e′) contained in a given group signature. The member sub-tracking devices 9, 10, 11 each uses the distributed tracking private key ξ₁, ξ₂, ξ₃ stored in the respective distributed tracking confidential information storage parts 902, 1002, 1102 to calculate

g′₁:=g′^(ε1) mod p, g′₂:=g′^(ε2) mod p, g′₃:=g′^(ε3) mod p

respectively. By using the results in the calculation of

r :=g′ ^(ε) /e′=(g′)^(ε) ¹ ^(+ε) ² ^(+ε) ³ /e′=(g′ ₁ ·g′ ₂ ·g′ ₃)/e′ mod p

decrypted data r from the member certificate associated with the signer of the given group signature can be obtained. Similarly to the first embodiment, the first, second, and third member sub-tracking devices 9, 10, 11 each searches the member lists {<I_(u), spk_(U), r, ξ, S_(U)>} that are disclosed in the member information disclosing means 102, to find a member list (I_(u), spk_(U), r, ξ, S_(U)) containing the first element r of the member certificate that matches the first element of the decrypted member certificate r and identifies the signature device 2 associated with the matching member list as the signer of the given member list.

The present embodiment has three member sub-management devices and three member sub-tracking devices, and the process described above is completed successfully only when all these devices operate properly. For generality purposes, let us assume that the n number of member sub-management devices and the n number of member sub-tracking devices exist in the system. Suppose

t<n/2

and the polynomial equation selected by the i-th member sub-management device or the member sub-tracking device during the key creation process is

f _(i)(z)=a _(i0) +a _(i1) z+ . . . +a _(it) z ^(t) mod q

then the member registration and tracking processes will be completed successfully only when at least the t number of member sub-management devices or member sub-tracking devices operate properly.

As described in the foregoing, according to the present embodiment, the computational amount involved in the distributed private key generation process and the distributed member registration process performed by member sub-management devices can be reduced, leading to lower loads on each member sub-management device, because the functions of a member management device are distributed among a plurality of member sub-management devices, and the private key to be used by the plurality of member sub-management devices for calculating a member certificate is selected from a cryptosystem based on a discrete logarithm problem.

Furthermore, according to the present embodiment, the computational amount involved in the distributed private key generation process and the distributed signer identification process performed by member sub-management (*tracking?) devices can be reduced, leading to lower loads on each member sub-tracking device, because the functions of a member tracking device are distributed among a plurality of member sub-tracking devices, and the private key to be used by the plurality of member sub-tracking devices for identifying the signer is selected from a cryptosystem based on a discrete logarithm problem.

According to the present invention, it is possible to provide a secure and reliable group signature, from which devices other than the special one (member tracking device) cannot identify the signer from a group signature, because the signature device safeguards the information concerning a member certificate by using a random number that is not disclosed as an element of the group signature and thus devices without a private key required for member tracking cannot decrypt the information. The present invention also makes it possible to safely divide the functions of a group management device into the function to register a member and the function to identify the signer of a group signature. In addition, the computational amount involved in the distributed private key generation process and the distributed member registration process performed by member sub-management devices can be reduced, leading to lower loads on each member sub-management device, because the functions of a member management device are distributed among a plurality of member sub-management devices, and the private key to be used by the plurality of member sub-management devices for calculating a member certificate is selected from a cryptosystem based on a discrete logarithm problem. Furthermore, the computational amount involved in the distributed private key generation process and the distributed signer identification process performed by member sub-management (*tracking?) devices can be reduced, leading to lower loads on each member sub-tracking device, because the functions of a member tracking device are distributed among a plurality of member sub-tracking devices, and the private key to be used by the plurality of member sub-tracking devices for identifying the signer is selected from a cryptosystem based on a discrete logarithm problem. 

1. A group signature system which creates a group signature to prove that the signer is really a member registered in the group and which confirms whether or not said signer of said group signature thus created is really a member of said group, comprising: a group management device which discloses public information for common use throughout the system, in a referenceable manner from other devices, a signature device which creates, from a member certificate containing a first element and a second element, encrypted data by encrypting said first element through use of a first random number and said public information disclosed by said group management device; creates first converted data by converting said first element through use of a second random number and said public information; creates second converted data by converting the first element through use of a third random number and the public information; creates knowledge signature data from a message to which a signature will be added, a fourth random number, said encrypted data, said first converted data, said second converted data, a signature key which is a private key to be used for the creation of a signature, said first element, and said second element; and outputs as a group signature said encrypted data, said first converted data, said second converted data, and said knowledge signature data, together with said message; and a verification device that verifies whether said group signature has duly been created by using the first and second elements contained in the member certificate of one of the registered members in said group and said signature key, based on said message and said group signature outputted from said signature device and said public information disclosed by said group management device.
 2. The group signature system of claim 1, wherein said signature device creates said knowledge signature data in such a manner that it can be proved that said encrypted data, said first converted data, and said second converted data have been created from the same value and that information concerning said first element, said second element, and said signature key will not be divulged; and said verification device verifies whether said group signature has been created by using the first and second elements contained in the member certificate of one of the registered members in said group and said signature key, without using information concerning said first element, said second element, and said signature key.
 3. The group signature system of claim 1 or 2, further comprising a member management device which, when registering a new member into said group, selects a member registration private key so that the key will be a generator of a finite field having the order of a prime number; uses a discrete logarithm as said member registration private key; obtains a member registration public key, which is a generator of a multiplicative group on a finite field, from said member registration private key; notifies said member registration public key as public information to said group management device; stores said member registration private key in itself; and creates a member certificate using such member registration private key and notifies the resultant member certificate to said signature device.
 4. The group signature system of claim 3, wherein said member certificate is a Nyberg-Rueppel signature which uses said signature key as a discrete logarithm and which is created by using said member registration private key on the converted data from said signature key.
 5. The group signature system of claim 3 or 4, wherein said group management device discloses, in addition to said public information, said member information notified by said member management device in a referenceable manner from other devices.
 6. The group signature system of claim 1 or 2, further comprising a plurality of member sub-management devices which, when registering a new member into said group, assigns one of the distributed values for obtaining the required generator of a finite field having the order of a prime number as its own distributed member registration private key; stores said distributed member registration private key in itself; and uses as a member registration public key the value having said generator as a discrete logarithm; and wherein said signature device obtains a member certificate by communicating with a plurality of said member sub-management devices, and said group management device acquires said member registration public key.
 7. The group signature system of any one of claims 1 to 6, further comprising a member tracking device which selects a member tracking private key so that the key will be a generator of a finite field having the order of a prime number; uses a discrete logarithm as said member tracking private key; obtains a member tracking public key that is a generator of a multiplicative group on a finite field from said member tracking private key; notifies said member tracking public key as said public information to said group management device; stores said member tracking private key in itself; when identifying the signer of a group signature, decrypts the encrypted data contained in said group signature by using said member tracking private key; and, if the result of decryption matches the first element of one of said member certificates which have been disclosed by said group management device, identifies the member of such member certificate as the signer; and wherein said group management device has disclosed said member certificate as said member information; and when creating said encrypted data by encrypting said first element, said signature device uses said member tracking public key as said public information.
 8. The group signature system of any one of claims 1 to 6, further comprising a plurality of member sub-tracking devices, wherein the distributed member tracking private key for each member sub-tracking device is the one to be assigned to itself, among the distributed values for obtaining the generator of a finite field having the order of a prime number; and each of which obtains said distributed member tracking private key so that the member tracking public key has a discrete logarithm as the generator of said finite field and will be a generator of a multiplicative group on a finite field; and each of which stores said distributed member tracking private key in itself; when creating said encrypted data by encrypting said first element, said signature device uses said member tracking public key as said public information; said group management device has disclosed said member certificate as said member information; and during the process of identifying the signer of a group signature, each of said member sub-tracking devices identifies the member of one of said member certificates as the signer, if the decryption result obtained from the result of performing a pre-determined calculation on the encrypted data contained in said member group signature by using each of their said distributed member tracking private keys matches the first element of one of said member certificates that have been disclosed by said group management device.
 9. The group signature system of any one of claims 3, 6, 7 or 8, wherein a finite field on an elliptic curve is used instead of said multiplicative group on a finite field.
 10. A group signature method for a group signature system having a group management device, a signature device and a verification device, which creates a group signature to prove that the signer is really a member registered in the group and which confirms whether or not said signer of said group signature thus created is really a member of said group, comprising the steps of: said group management device disclosing public information for common use throughout the system, in a referenceable manner from other devices; said signature device storing a member certificate consisting of a first element and a second element, creating encrypted data by encrypting said first element using a first random number and said public information disclosed by said group management device, creating first converted data by converting said first element using a second random number and said public information, creating second converted data by converting said first element using a third random number and said public information; creating knowledge signature data from a message to which a signature will be added, a fourth random number, said encrypted data, said first converted data, said second converted data, a signature key which is a private key to be used for the creation of a signature, said first element, and said second element, in such a manner that it can be proved that said encrypted data, said first converted data, and said second converted data have been created from the same value and that information concerning said first element, said second element, and said signature key will not be divulged, and outputting as a group signature said encrypted data, said first converted data, said second converted data, and said knowledge signature data, together with said message, and said verification device verifying whether or not said group signature has been created by using the first and second elements contained in the member certificate of one of the registered members in said group and said signature key, based on said message and said group signature outputted from said signature device and said public information disclosed by said group management device without using the information concerning said first and second elements and said signature key.
 11. A group signature device which forms a group signature system together with a group management device that discloses public information for common use throughout the system in a referenceable manner from other devices and a verification device that confirms whether or not the signer of a group signature is a member registered in said group, and which creates a group signature that can prove that said signer is a member registered in said group, comprising: a member information storage means which stores a member certificate consisting of a first element and a second element, an encrypted data creation means which creates encrypted data by encrypting said first element using a first random number and said public information disclosed by said group management device, a first converted data creation means which creates first converted data by converting said first element using a second random number and said public information, a second converted data creation means which creates second converted data by converting said first element using a third random number and said public information, a knowledge signature creation means which creates knowledge signature data from a message to which a signature will be added, a fourth random number, said encrypted data, said first converted data, said second converted data, a signature key which is a private key to be used for the creation of a signature, said first element, and said second element, in such a manner that it can be proved that said encrypted data, said first converted data, and said second converted data have been created from the same value and that information concerning said first element, said second element, and said signature key will not be divulged, and a signature output means which outputs as a group signature said encrypted data, said first converted data, said second converted data, and said knowledge signature data, together with said message.
 12. A group signature program to be run on a computer to make the computer operate as a group signature device, which forms a group signature system together with a group management device that discloses public information for common use throughout the system in a referenceable manner from other devices and a verification device that confirms whether or not the signer of a group signature is a member registered in said group, in order to create a group signature that can prove that said signer is a member registered in said group, comprising the processes of: a member information storage means storing a member certificate consisting of a first element and a second element; an encrypted data creation means creating encrypted data by encrypting said first element using a first random number and said public information disclosed by said group management device; a first converted data creation means creating first converted data by converting said first element using a second random number and said public information; a second converted data creation means creating second converted data by converting said first element using a third random number and said public information; and a knowledge signature creation means creating knowledge signature data from a message to which a signature will be added, a fourth random number, said encrypted data, said first converted data, said second converted data, a signature key which is a private key to be used for the creation of a signature, said first element, and said second element, in such a manner that it can be proved that said encrypted data, said first converted data, and said second converted data have been created from the same value and that information concerning said first element, said second element, and said signature key will not be divulged; and a signature output means outputting as a group signature said encrypted data, said first converted data, said second converted data, and said knowledge signature data, together with said message. 